AlmaLinux WHM/cPanel CVE Patch Walkthrough: 8, 9, and 10 Commands

A step-by-step AlmaLinux WHM and cPanel patch guide for CVE-2026-41940 and CVE-2026-31431, with commands for AlmaLinux 8, 9, and 10.

This guide is for root administrators running WHM/cPanel on AlmaLinux 8, AlmaLinux 9, or AlmaLinux 10. It covers the two urgent jobs from the recent security wave: update cPanel for CVE-2026-41940, then update the AlmaLinux kernel for CVE-2026-31431 Copy Fail.

cPanel currently documents AlmaLinux 8 for cPanel 110 or later, AlmaLinux 9 for cPanel 114 or later, and AlmaLinux 10 for cPanel 132 or later. If your server is older, pinned, or running a vendor image that is not an official AlmaLinux upstream release, stop and plan a migration before you assume normal updates will save you.

Before You Touch The Server

Open a root shell through SSH, use a persistent terminal session, and make sure you have a current backup. A kernel update means a reboot, so do this during a maintenance window if the server hosts production sites.

screen -S cpanel-cve-patch
cat /etc/os-release
/usr/local/cpanel/cpanel -V
uname -r
df -h / /boot /usr/local/cpanel

If `/boot` is close to full, clean old kernels before updating. A failed kernel install because `/boot` ran out of space is a bad way to spend a night.

Step 1: Patch cPanel And WHM

CVE-2026-41940 is the cPanel and WHM authentication bypass. It is not fixed by a normal AlmaLinux kernel update. Update the cPanel application stack first, then confirm that the build reported by `/usr/local/cpanel/cpanel -V` is on a patched branch.

/scripts/upcp --force
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --hard

cPanel lists patched branches in its advisory. If your WHM update tier is pinned, disabled, or stuck below a patched build, change the tier or migrate the server. Do not leave a public WHM service on an unpatched branch.

cat /etc/cpupdate.conf
whmapi1 get_tier
whmapi1 set_tier tier=RELEASE
/scripts/upcp --force

Step 2: Patch The AlmaLinux Kernel

CVE-2026-31431 Copy Fail is in the Linux kernel, not in cPanel itself. On AlmaLinux servers without live patching, use DNF to pull the fixed kernel, then reboot into it.

dnf clean metadata
dnf update kernel
dnf update
reboot

After the reboot, verify the server is actually running the new kernel. Installing a kernel package is not enough if the machine never booted into it.

uname -r
/usr/local/cpanel/cpanel -V
systemctl status cpanel --no-pager
/scripts/restartsrv_cpsrvd --status

For Copy Fail, cPanel noted fixed AlmaLinux baselines of `kernel-4.18.0-553.121.1.el8_10` for AlmaLinux 8, `kernel-5.14.0-611.49.2.el9_7` for AlmaLinux 9, and `kernel-6.12.0-124.52.2.el10_1` for AlmaLinux 10. Use your vendor repositories as the authority if newer builds are available.
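One way to script the post-reboot check, as an added example that is not from cPanel or AlmaLinux: it compares a kernel release string, in the format `uname -r` prints, with the fixed baselines quoted above. The function names are illustrative, the sample release strings are constructed, and it assumes GNU `sort -V` and a stock AlmaLinux kernel without live patching.

```shell
#!/usr/bin/env bash
# Added example (not from cPanel or AlmaLinux): compare a kernel release string
# against the fixed baselines quoted in this guide.

# Baselines as quoted on this page, without the "kernel-" prefix and ".elN_M" suffix.
baseline_for_major() {
  case "$1" in
    8)  echo "4.18.0-553.121.1" ;;
    9)  echo "5.14.0-611.49.2" ;;
    10) echo "6.12.0-124.52.2" ;;
    *)  return 1 ;;
  esac
}

# "5.14.0-611.49.2.el9_7.x86_64" -> "9"; prints nothing for non-EL kernels.
el_major() { printf '%s\n' "$1" | sed -n 's/.*\.el\([0-9][0-9]*\).*/\1/p'; }

# True when version $1 >= version $2, using GNU sort's version ordering.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Returns 0 = at or above baseline, 1 = below baseline, 2 = cannot judge.
check_kernel() {
  local release="$1" major base numeric
  major="$(el_major "$release")"
  if ! base="$(baseline_for_major "$major")"; then
    echo "UNKNOWN  $release (no baseline on this page for this kernel)"
    return 2
  fi
  numeric="${release%%.el[0-9]*}"   # drop the ".el9_7.x86_64" style suffix
  if version_ge "$numeric" "$base"; then
    echo "OK       $release >= $base (el$major)"
    return 0
  fi
  echo "BELOW    $release < $base (el$major): update and reboot"
  return 1
}

# Constructed sample release strings; on a server pass "$(uname -r)" instead.
for sample in "5.14.0-611.49.2.el9_7.x86_64" "5.14.0-611.5.1.el9_7.x86_64" \
              "4.18.0-553.121.1.el8_10.x86_64" "6.8.0-45-generic"; do
  check_kernel "$sample" || true
done
```

On the server itself, call `check_kernel "$(uname -r)"` after the reboot; a `BELOW` result after a successful `dnf update kernel` usually means the machine has not booted into the new kernel yet.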

Step 3: Check For cPanel Session IOCs

cPanel published a detection script for CVE-2026-41940 session indicators. Get the current script directly from cPanel’s advisory, save it on the server, inspect it, then run it as root.

  • Open the official cPanel advisory.
  • Download the current indicator-check script from cPanel.
  • Review it locally before use.
  • Run it as root during a maintenance or incident-response window.
  • Keep findings private and rotate credentials if indicators are found.

If the script reports indicators, treat this as an incident. Rotate root and WHM user passwords, review `/usr/local/cpanel/logs/access_log`, audit SSH keys, check cron, and review recently modified web files under hosted accounts.

Emergency Mitigation If You Cannot Patch

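If cPanel cannot be updated immediately, cPanel recommends blocking WHM/cPanel/Webmail ports or stopping the affected services. This is disruptive, but it is better than leaving a known authentication bypass exposed. The first group of commands below turns off and removes the proxy subdomains, then rebuilds and restarts Apache; the second group disables and stops `cpsrvd` and `cpdavd`.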

whmapi1 set_tweaksetting key=proxysubdomains value=0
/scripts/proxydomains remove
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd

whmapi1 configureservice service=cpsrvd enabled=0 monitored=0
whmapi1 configureservice service=cpdavd enabled=0 monitored=0
/scripts/restartsrv_cpsrvd --stop
/scripts/restartsrv_cpdavd --stop

For Copy Fail, if a kernel update is not available, follow cPanel or your OS vendor’s temporary mitigation guidance. Use it only as a temporary measure, test it first, and remove it after a patched kernel is installed.

  • Review the cPanel and OS vendor advisory for the temporary mitigation.
  • Test the mitigation on a non-production system or during a maintenance window.
  • Document the change so it can be removed after the fixed kernel is installed.
  • Reboot only after you have a rollback plan and console access.
